What’s the deal with keeping data in Canada?
A perennial issue for new entrants into the Canadian market is whether there are Canadian requirements that would prevent data leaving Canada. Prospective non-Canadian purchasers or service providers are sometimes met with the objection that organizations are prohibited from transferring data outside of Canada. If true, any prohibition on data transfer could be a serious obstacle to a merger or a services agreement.
If moving data across national borders is important to the acquirer of a business, it will be critical to consider whether there are any restrictions or data residency requirements that must be considered. The inability to consolidate human resources data or customer data on a global platform hosted outside of Canada may affect operational costs in a material way. Even if a company operates only in Canada, the issue of data residency may affect the ability of the organization to make use of cloud-based services that are hosted outside of or, in some cases, even transmitted through the United States or other countries.
The bad news is that the prohibition on transferring data outside of Canada is sometimes valid. The good news is that in almost all cases, any prohibition will not be absolute. And, in many applications and contexts, there may be no prohibition at all with respect to using foreign-based services or storage. The confusion stems from a patchwork of laws that either prohibit or inhibit the transfer of data across borders.
Data Residency Requirements
Data residency requirements in Canada fall into three categories. First, there are a number of statutes and regulations that contain requirements to maintain records in Canada. These statutes and regulations do not prohibit the data from being accessible outside of Canada. Copies of data could be maintained outside of Canada as part of a company’s archive, or copies may be transferred for use by an affiliate or third-party service provider. However, the sole copy of the records cannot be maintained outside of Canada.
Another category of data residency requirements involves a relatively small number of statutes that require personal information to be kept in Canada and prohibit any transfers or disclosures of that data to a foreign jurisdiction or access to the data from a foreign jurisdiction. These restrictions are found in three provinces. In two provinces they apply solely to public institutions. In a third province, they apply to health information custodians. With few exceptions, these laws require the consent of the individual before his or her personal information is accessed from or transferred outside of Canada.
A third category of data residency requirements involves policies, standards or contractual promises that have been created or entered into by organizations and private institutions that prohibit the transfer of data outside of Canada due to concerns relating to safeguarding the information. This category is amorphous and usually reflects a misunderstanding on the organization’s part of the real risks of storing or processing data outside of Canada. In other cases, the restriction is based on an organization’s concern about its ability to maintain an adequate level of control over the data and enforce its rights with respect to the data; these concerns should be resolvable through contractual provisions, including audit rights. In still other cases, the concern is largely a fear of access to the data by foreign governments, particularly without the knowledge of the organization.
Requirements to Maintain Records in Canada
Privacy professionals should be aware of data residency requirements in income tax, excise tax and other regulatory legislation. For example, subsection 230(1) of the Canadian federal Income Tax Act, RSC 1985, c 1 (5th Supp), states that:
Every person carrying on business and every person who is required, by or pursuant to this Act, to pay or collect taxes or other amounts shall keep records and books of account (including an annual inventory kept in prescribed manner) at the person’s place of business or residence in Canada or at such other place as may be designated by the Minister, in such form and containing such information as will enable the taxes payable under this Act or the taxes or other amounts that should have been deducted, withheld or collected to be determined.
A similar provision is contained in section 98 of the Canadian federal Excise Tax Act, RSC 1985, c E-15. Environmental, occupational health and safety, export/import, and many other legislative provisions may similarly require records to be kept at a place of business in a province (in the case of provincially regulated matters) or in Canada (in the case of federally regulated matters).
In interpreting the phrase “at the person’s place of business or residence in Canada” the Canada Revenue Agency (CRA) has taken the position in Information Circular “IC05-1R1 Electronic Record Keeping” that there is a difference between records being accessible from Canada and records being maintained in Canada. Only the latter will satisfy the legislation unless the CRA has provided the organization with permission to store the records outside of Canada.
If an organization wants permission to keep records in a different location than its place of business in Canada, the organization must make a written request to a local tax services office. The tax services office will advise whether it grants permission. The CRA may impose certain stipulations as a condition of granting permission. The CRA has stated that it is its policy not to grant permission to keep records outside of Canada to registered charities, registered Canadian amateur athletic associations, municipal or public bodies performing a function of government or certain housing corporations that have tax exempt status. I am not aware of any public statement regarding the reasons for having taken this position.
The CRA’s position completely ignores the reality that few large organizations would have their electronic records on-premises. A large organization is much more likely to either maintain its own off-site servers or lease servers from an infrastructure services provider. Moreover, the stratification of expertise in information technology means that it will be more prudent for many small and midsize businesses to outsource their information technology requirements. From the perspective of ensuring the security and integrity of this data, the CRA and businesses may be better served by cloud-based models managed by experts.
The issue has not yet been settled; however, the requirement to maintain electronic records in Canada may not require that an organization keep its active production database in Canada. Generally, an electronic copy of a record is treated under Canadian legislation to be equivalent to the record provided that there are sufficient guarantees of its authenticity and the integrity of the system in which it is maintained.
The better view of the requirements under the Income Tax Act and the Excise Tax Act is that a copy of records maintained in Canada in a format usable by CRA auditors should be sufficient, provided, of course, that the information is adequate to support the taxpayer’s filing position. No permission ought to be required in this case. However, the CRA’s view appears to be that even in these circumstances its permission is required. Therefore, organizations should consider obtaining professional advice before transferring accounting records outside of Canada until the CRA publicly clarifies its position. Similar considerations apply to other regulatory requirements to maintain records in a province or Canada.
Prohibitions on Transfer to or Access from Outside of Canada
Three provinces in Canada have express prohibitions that prevent data from being transferred outside of Canada or accessed outside of Canada in certain circumstances. The British Columbia Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165, and the Nova Scotia Personal Information International Disclosure Protection Act, SNS 2006, c 3, apply to public bodies in those provinces. Section 30.1 of the BC statute and subsection 5(1) of the Nova Scotia statute require public bodies in those provinces to ensure that personal information in their custody or under their control is stored only in Canada and accessed only in Canada. Governmental bodies and agencies as well as a broad range of public institutions, such as public schools, universities and hospitals, are affected by this legislation.
New Brunswick has enacted a similar provision in s. 55(2) of its Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05. This provision applies to custodians of personal health information. Custodians include regulated health professionals as well as institutions such as hospitals and a broad group of other institutions in the public healthcare system. Arguments have been made that there are implicit data residency requirements in other provincial legislation, such as Ontario’s Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A. However, the restrictions in Ontario and other provinces can usually be managed by ensuring appropriate safeguards and contractually preventing the entity hosting the data from using it for a purpose other than as a service provider to the institution.
The prohibition on storage and access affects the ability of public institutions and, in New Brunswick, health information custodians to use cloud-based services hosted outside of the country. In addition, theoretically it prohibits these public institutions from transferring personal information via the Internet, including through VPNs, unless the provider can guarantee that the data will not be routed through the United States. This is because data travelling over the Internet or a VPN through the United States could, theoretically, be intercepted, including by U.S. law enforcement or intelligence agencies. Therefore, even if the brief copies made of the packets of data during transmission do not qualify as “storage,” the fact that the transmission could be intercepted means that the data could be exposed to access outside of Canada. Encrypting the data is not a solution because privacy commissioners still consider encrypted personal information to be personal information, which could be (theoretically) at risk of decryption by a powerful computer.
The main exception to these data transfer rules is consent of the individual about whom the information relates. Generally, consent must be in a specified form. For example, under the BC statute, the consent must be in writing and specify:
- an effective date (and any expiry date);
- the personal information that is subject to the consent;
- who may store or access the personal information;
- the jurisdiction in which the personal information may be stored or from which it may be accessed, and
- the purpose for the storage or access.
Other exceptions under the British Columbia statute include disclosures outside of Canada for the purposes of (i) payments to be made to or by the government of British Columbia or a public body, (ii) authorizing, administering, processing, verifying or canceling such payments, or (iii) resolving an issue regarding such payments.
Beyond these statutory exceptions, the Information and Privacy Commissioner of British Columbia has very sensibly concluded that data tokenization techniques could be used in connection with cloud-based “software as a service” applications to permit compliance with the Act by public institutions in British Columbia. This technique involves replacing the personal information with random data before it is stored and processed outside of Canada. A “cross-walk” table, which allows the random data to be replaced with the personal information when it is displayed to a user in Canada, is retained on the public body’s information technology systems in Canada and is not accessible to the foreign service provider.
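The cross-walk approach described above, as an added illustration that is not part of the original article or the Commissioner's guidance: the vault class, the field names and the sample record are constructed for the example. Tokens are random values drawn from the operating system, so unlike a hash or ciphertext they carry no information about the original value, and an egress check refuses to send any record in which an original value survived.

```python
import secrets

# Fields a public body would treat as personal information (constructed example list).
PII_FIELDS = ("name", "health_number", "email")

class CrossWalk:
    """Cross-walk table held on the public body's own systems in Canada.

    Only the token <-> value mapping lives here; the foreign SaaS receives tokens only.
    Tokens are random, not hashed or encrypted values, so they reveal nothing about the
    original data even to an adversary with unlimited computing power.
    """

    def __init__(self):
        self._by_token = {}
        self._by_value = {}  # (field, value) -> token, so repeated values map consistently

    def tokenize_value(self, field, value):
        key = (field, value)
        token = self._by_value.get(key)
        if token is None:
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._by_value[key] = token
            self._by_token[token] = value
        return token

    def tokenize_record(self, record):
        """Prepare a record for transfer outside Canada: PII fields replaced by tokens."""
        return {k: self.tokenize_value(k, v) if k in PII_FIELDS else v
                for k, v in record.items()}

    def detokenize_record(self, record):
        """Restore PII for display to a user in Canada; an unknown token is an error."""
        out = {}
        for k, v in record.items():
            if k in PII_FIELDS:
                if v not in self._by_token:
                    raise KeyError(f"unknown token for field {k!r}")
                out[k] = self._by_token[v]
            else:
                out[k] = v
        return out

def egress_check(outbound, original):
    """Guard run before transmission: list PII fields whose original value still appears
    anywhere in the outbound record. An empty list means the record is safe to send."""
    return [k for k in PII_FIELDS
            if k in original and original[k] in outbound.values()]
```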
Policies, Standards and Contracts
In addition to statutory data residency requirements, organizations may have policies and standards that prohibit the transfer of data outside of Canada. These types of policies are common in the public sector. For example, the Government of Alberta has issued “Managing Contracts Under the FOIP Act”, which provides guidance on the government’s expectations for contracts that are entered into by public sector organizations subject to Alberta’s Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25. In the guidance document, the government cautions public institutions regarding outsourcing contracts with vendors outside of Canada because of the potential of competing legal obligations, among other things. The government suggests that a Minister may consider approving an arrangement for the processing or storage of personal information outside of Canada where the risks associated with the data are low based on one or more of the following factors: the contract involves a relatively small number of individuals; the sensitivity of the information is low; the nature of the service means that the retention of the data by the service provider will be brief, or the service requires expertise that is not available in Canada (at p. 40). The government guidance goes as far as to suggest that amendments in 2006 to Alberta’s legislation would prohibit a service provider outside of Canada from disclosing personal information in response to a valid foreign order. Those amendments prohibit the disclosure of personal information in response to a subpoena, warrant or order only if the court or tribunal has the power in Alberta to require production of the information. The government’s guidance suggests that these provisions should be interpreted as prohibiting a third-party service provider in a foreign jurisdiction from disclosing information in response to a valid order in that foreign jurisdiction (at p. 40). 
If that were true, then it would be impossible to use an outsourcing company in the U.S. or for that matter in any other province of Canada. The government’s guidance position is not reasoned; however, public bodies subject to the Alberta Freedom of Information and Protection of Privacy Act should seek legal advice before deciding whether to rely on another interpretation of the 2006 amendments.
Another way that data residency requirements may arise is contractual. The organization may be a service provider to other organizations and have entered into services agreements requiring the storage of personal information in Canada. These types of agreements are common in the financial services, health and education sectors. They are also frequently inserted into government contracts even in situations in which there are no statutory data residency requirements.
These policies, standards and contractual restrictions need not be treated as absolute prohibitions. With creativity and a willingness to be open, transparent and subject to the laws of Canada, it may be possible to design a regime with sufficient contractual guarantees and commitments to administrative, physical and technical safeguards whereby privacy should not be a barrier to international trade and commerce along the 49th parallel.
Conclusion
As with many issues in privacy law, context is important! Organizations considering transferring data across borders have many issues to consider. The question of whether there are applicable data residency requirements will likely not be a straightforward legal question. It will depend on a host of factors. However, the good news is that for most private sector organizations, the main issues will arise in government contracts and in the management of personal health information. Although there will be residual issues relating to the location of tax records, these may be addressed by obtaining legal advice on the sufficiency of the arrangements and, if necessary, permission from the Canada Revenue Agency.